#3343 ipa-replica-install should add new NS records to all zones (for redundancy)
Opened 6 years ago by pspacek. Modified 2 years ago

ipa-replica-install --setup-dns adds an NS record pointing to the new replica only to some DNS zones. An NS record should be added to all existing zones managed by IPA.

There is no redundancy without proper NS records.


Note: Generally, all IPA-managed zones should contain all IPA servers in NS records...

There are special cases (like installations with many replicas) where it makes sense to list only some replicas to keep the size of DNS replies under 512 bytes. For those cases there should be a switch like --dont-add-ns-record.

Also, the NS record should be removed from all zones during replica removal. I'm not sure if it makes sense to provide a switch --dont-delete-ns-record, probably not.

Implementation note: the SOA mname value should be replaced with the name of another (randomly picked) IPA+DNS server if the current value points to the server being removed.

Each IPA server overrides this value with its own name by default. This change is only for maintaining database consistency.
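The bookkeeping described above (add the new server's NS record to every IPA-managed zone on install, honour a --dont-add-ns-record style switch, keep an eye on the 512-byte UDP limit, and on removal drop the NS records and repoint SOA mname to a surviving server), modelled as an added example. This is not FreeIPA's own code: the Zone class, the in-memory zone store, the function names and the "delegations" field (for the later TODO about NS records at delegation points) are all hypothetical, and the sample zones are constructed. A real implementation would apply the returned plan through the IPA DNS API rather than mutate Python sets.

```python
# Added example, not FreeIPA code. Models the NS/SOA reconciliation this
# ticket asks ipa-replica-install --setup-dns, ipa-dns-install and the
# replica-removal path to perform. All names below are hypothetical.
import random
from dataclasses import dataclass, field
from typing import Dict, List, Set

UDP_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS0


@dataclass
class Zone:
    name: str              # zone apex, FQDN with trailing dot
    ns: Set[str]           # NS RRset at the apex
    soa_mname: str         # SOA MNAME (primary master name)
    # NS RRsets at delegation points inside the zone that IPA servers serve
    # (hypothetical extension for the "add NS to delegations" TODO)
    delegations: Dict[str, Set[str]] = field(default_factory=dict)


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a name: 1 length byte per label plus the
    label bytes, plus the terminating zero-length root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1


def ns_response_size(zone: str, ns_names) -> int:
    """Estimated size of a UDP answer to '<zone> NS'. Answer-RR owner names are
    counted as 2-byte compression pointers to the question name; NSDNAME RDATA
    is counted uncompressed (an upper bound) and glue records are not counted."""
    header = 12
    question = wire_name_len(zone) + 4                 # QNAME + QTYPE + QCLASS
    answer = sum(2 + 10 + wire_name_len(n) for n in ns_names)  # ptr + TYPE/CLASS/TTL/RDLEN + NSDNAME
    return header + question + answer


def plan_add_server(zones: List[Zone], server: str, add_ns: bool = True,
                    limit: int = UDP_LIMIT):
    """Changes needed when `server` becomes an IPA server with DNS.
    add_ns=False models the proposed --dont-add-ns-record switch.
    Returns (changes, warnings); warnings flag apex NS answers over `limit`."""
    changes, warnings = [], []
    if not add_ns:
        return changes, warnings
    for z in zones:
        rrsets = [("@", z.ns)] + list(z.delegations.items())
        for owner, rrset in rrsets:
            if server not in rrset:
                rrset.add(server)
                changes.append(("add-ns", z.name, owner, server))
        size = ns_response_size(z.name, z.ns)
        if size > limit:
            warnings.append(f"{z.name}: apex NS answer ~{size} bytes exceeds {limit}")
    return changes, warnings


def plan_remove_server(zones: List[Zone], server: str, rng=None):
    """Changes needed when `server` is removed: drop its NS records from every
    apex and delegation, and if SOA MNAME named it, pick another surviving NS
    at random (the ticket's implementation note). Fails loudly if none is left."""
    rng = rng or random.Random()
    changes = []
    for z in zones:
        for owner, rrset in [("@", z.ns)] + list(z.delegations.items()):
            if server in rrset:
                rrset.discard(server)
                changes.append(("del-ns", z.name, owner, server))
        if z.soa_mname == server:
            survivors = sorted(z.ns)
            if not survivors:
                raise ValueError(f"{z.name}: no IPA DNS server left for SOA MNAME")
            z.soa_mname = rng.choice(survivors)
            changes.append(("set-soa-mname", z.name, "@", z.soa_mname))
    return changes


def demo_zones() -> List[Zone]:
    """Constructed sample data: one forward zone with a delegation, one reverse zone."""
    ipa1 = "ipa1.example.test."
    return [
        Zone("example.test.", {ipa1}, ipa1,
             delegations={"lab.example.test.": {ipa1}}),
        Zone("1.168.192.in-addr.arpa.", {ipa1}, ipa1),
    ]


if __name__ == "__main__":
    zones = demo_zones()
    for change in plan_add_server(zones, "ipa2.example.test.")[0]:
        print("install:", change)
    for change in plan_remove_server(zones, "ipa1.example.test.", random.Random(0)):
        print("removal:", change)
```

Note the size check: with the estimate above, a zone such as ipa.example.com. can list about thirteen servers named like ipa01.ipa.example.com. before the apex NS answer alone passes 512 bytes, which is the situation the --dont-add-ns-record switch is meant for.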

This needs to be done by ipa-dns-install as well, as it may be run on a replica to DNS-enable it. (If not done yet)
We also need to change the ipa replica removal code to remove the NS record if the replica is removed.

Replying to [comment:5 simo]:

> This needs to be done by ipa-dns-install as well, as it may be run on a replica to DNS-enable it. (If not done yet)
> We also need to change the ipa replica removal code to remove the NS record if the replica is removed.

Ah, that clears the misunderstanding from today's meeting! You are right. I should explicitly mention IPA servers with DNS rather than saying all IPA servers.

Also, ipa-replica-install --setup-dns and ipa-dns-install should do the same thing.

Moving my tickets back to free-to-take pool.

The cloned bug will only be used for documenting in 7.0.

I'm investigating whether this feature will be needed for openstack designate (DNSaaS)

Scheduling for re-triage. This feature would help with automatic replica provisioning.

Partially implemented in: https://fedorahosted.org/freeipa/ticket/4149

TODO:

  • --dont-add-ns-record option
  • Add NS record to delegations (currently NS is added only to zone APEX)

Processing the 4.2 backlog. This ticket was found to be something that is not a priority for the nearest releases.

But as usual, please feel free to discuss your use cases or contribute patches, to make that happen sooner!

Let us consider this change in 4.4; most of the work should be there (4.2) already.

Metadata Update from @pspacek:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.5 backlog

2 years ago

Metadata Update from @mbasti:
- Assignee reset

2 years ago
